Passwords: Sharks Can Smell a Breach a Mile Away
2013 is not shaping up to be a banner year for Internet security. 2012 saw data breaches like the 6.5 million LinkedIn password hashes that leaked, 420,000 member accounts from the social network Formspring, more than 400,000 usernames and passwords from Yahoo! Voices, and 1.5 million passwords from the online dating site eHarmony. Twitter is the latest system to suffer an embarrassing security breach with accompanying data loss. Approximately 250,000 account holders have had their usernames, email addresses, session tokens and encrypted/salted versions of their passwords stolen. Twitter has been as proactive as possible, it seems. They reset the passwords for all affected accounts, revoked session tokens and emailed the users. I find the tone of the official statement from Twitter interesting. They are quick to point out similarly compromised organizations, most notably the New York Times and the Wall Street Journal. Still, I think this is more than an attempt at deflection. Instead, Director of Information Security Bob Lord is trying to be adamant about the seriousness not just of this security breach, but of the general state of security across the Internet.
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. - Bob Lord
Perhaps the most salient points in the article come in the form of links to an advisory from the U.S. Department of Homeland Security and the FTC’s guide on passwords. The surprising notice from Homeland Security urges everyone to disable Java in their browsers! Now, this has been a recommendation from some sources for years. For example, Mac OS X 10.7 removed the Java runtime from the bundled software. Also removed was Rosetta, a bridging application that allowed programs designed for the older PowerPC architecture to run. As for passwords, to paraphrase the linked FTC article:
- Don’t use your name or birth date, your children's names or birth dates, or those of your cat.
- "Make your password at least 10 to 12 characters long, and use a mix of letters, numbers, and special characters". This is up notably from the standard of eight characters that held for many years.
- "Don’t use the same password for multiple accounts".
- Don't share your password with anyone. The same goes for the ole PIN and your bank account information, obviously.
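To make the FTC guidance above concrete, and to show what the "encrypted/salted versions of passwords" mentioned earlier actually buy a site that gets breached, here is an added example of my own (not code from the post, the FTC, or Twitter): a small policy checker implementing the length, character-mix and no-personal-info rules, plus salted PBKDF2 hashing of the stored credential. `MIN_LENGTH`, `PBKDF2_ITERATIONS` and the sample names and dates are assumptions I chose for the demonstration.

```python
"""Added example (not from the original post): FTC-style password policy check
plus salted PBKDF2 storage. Constants and sample data are assumptions."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12              # assumption: upper end of the FTC's "10 to 12" range
PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for this demo
SALT_BYTES = 16


def check_policy(password: str, personal_terms=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: strings the password must not contain (the user's name,
    birth date, a child's or pet's name), matched case-insensitively.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    lowered = password.lower()
    for term in personal_terms:
        term = term.lower().strip()
        # ignore very short terms so that e.g. a two-letter initial does not match everything
        if len(term) >= 3 and term in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex', using a fresh random salt
    unless one is supplied. The salt is stored alongside the hash; it is not secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def salted_hashes_differ(password: str) -> bool:
    """Two users who pick the same password get different stored records, so a
    leaked table cannot be cracked once and applied to every account."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample data: a user's name, birth date and a pet's name.
    personal = ["Alice", "1985-07-04", "Max"]
    for candidate in ["alice1985", "Tr0ub4dor&3", "correct-Horse-7-Battery!"]:
        print(candidate, "->", check_policy(candidate, personal) or "OK")
    record = hash_password("correct-Horse-7-Battery!")
    print(record)
    print(verify_password("correct-Horse-7-Battery!", record),
          verify_password("wrong", record),
          salted_hashes_differ("correct-Horse-7-Battery!"))
```

The policy check is the client-side half of the advice; the hashing half is what a site should do so that, when its table leaks the way Twitter's did, each password still has to be attacked individually and at the chosen work factor rather than looked up in a precomputed table.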
- RoboForm Everywhere
RoboForm has been around for at least 10 years and it's not going anywhere based on the price point (~$10) and functionality. Although you have to update your information from the desktop client, you can access your secure data from any device.
- Kaspersky Password Manager